Detecting Attacker Behavior With Splunk Based On TTPs

Navigate to http://[Target IP]:8000, open the “Search & Reporting” application, and find through SPL searches against all data the password utilized during the PsExec activity. Enter it as your answer.

I have tried utilizing various edited queries based on the three sections of locating psexec activity. I don’t find anything related to passwords or usernames, but I do find where I think the specific activity occurred. I am completely stuck. I have also read the articles attached at the start of the psexec section to no avail. Any tips would be greatly appreciated!


Hi,
It’s much simpler than the examples given.
psexec is executed in the command line, so try searching for the term.


Like @sampaio.veiga has already pointed out, it is a lot earlier than using the provided commands in the section. Remember SPL is able to take any keywords provided, so use the keywords stated in the question to streamline your search.

index="main" sourcetype="WinEventLog:Sysmon" Calltrace="psexec.exe"

Cannot find even a single event with this, can you please elaborate more

Try a more broad query first when searching for psexec. Use it as a search term and drop the extension. SPL can handle it as a search term.

I ran the first command in the module. Although I am not sure if it's supposed to be this easy.

servicename | search something - might be useful.

Find CommandLine that contains psexec, then look for password in an argument.

My solution:

index="main" CommandLine="psexec*.exe*-p*" 
| table CommandLine

I used a simple approach which this time worked quickly: used PsExec as a search term and stats ParentCommandLine to see the password.
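As an added example (not from this thread, HTB, or Splunk), the same detection the SPL query `CommandLine="psexec*.exe*-p*"` expresses, applied offline in Python to constructed Sysmon-style process-creation events: it flags PsExec launches by executable name and records whether a credential was passed with `-p` on the command line. The sample events and field layout are assumptions modelled on the Sysmon EventCode 1 fields.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon EventCode 1 (process creation) events in key=value form,
# roughly as Splunk's WinEventLog:Sysmon sourcetype shows them. Not real data.
SAMPLE_EVENTS = [
    'EventCode=1 Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami"',
    'EventCode=1 Image="C:\\Tools\\PsExec.exe" '
    'CommandLine="psexec.exe \\\\WS01 -u CORP\\svc_admin -p S3cretValue cmd.exe"',
    'EventCode=1 Image="C:\\Tools\\PsExec64.exe" '
    'CommandLine="PsExec64.exe \\\\WS02 -s -accepteula ipconfig"',
    'EventCode=3 Image="C:\\Tools\\PsExec.exe" DestinationPort=445',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split a key=value event line into a dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in FIELD_RE.findall(line)}

def psexec_finding(event):
    """Return a finding dict for a PsExec launch, else None. Matching on the
    executable name (not a fixed path) also catches PsExec64 or a relocated copy.
    Assumes the executable token itself contains no spaces."""
    if event.get("EventCode") != "1":
        return None
    cmd = event.get("CommandLine", "")
    tokens = cmd.split()
    if not tokens or not PureWindowsPath(tokens[0]).name.lower().startswith("psexec"):
        return None
    finding = {"command": cmd, "user": None, "password_on_cmdline": False, "password": None}
    for i, tok in enumerate(tokens[1:], start=1):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok.lower() == "-u" and nxt:
            finding["user"] = nxt
        elif tok.lower() == "-p" and nxt and not nxt.startswith("-"):
            # -p followed by a value: the credential sits in cleartext in the log
            finding["password_on_cmdline"] = True
            finding["password"] = nxt
    return finding

def scan(events):
    """Run the detection over raw event lines and keep only PsExec findings."""
    return [f for f in (psexec_finding(parse_event(e)) for e in events) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        exposed = "cleartext credential present" if f["password_on_cmdline"] else "no credential"
        print(f"user={f['user']} ({exposed}) :: {f['command']}")
```

A credential surfaced this way should be treated as exposed and rotated, since anyone with read access to the event log or the Splunk index can recover it the same way.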